Identification of a DNS packet as malicious based on a value

1. A method for determining and logging electronic devices based on behavior, the method comprising: capturing, at an electronic appliance, a domain name system (DNS) packet in communication traffic between a client device and a DNS server, wherein the DNS packet includes a header and a payload field of a plurality of payload fields, and wherein the plurality of payload fields correspond with at least one of a query field, a response field, an authority field, and an additional field; determining, by the electronic appliance, a domain name from the payload field; comparing, by the electronic appliance, the domain name from the payload field with a list of malicious domain names and a list of benign domain names; when the domain name from the payload field is included with the list of malicious domain names and not included in the list of benign domain names, determining a value of the DNS packet; when the value exceeds a specified threshold, identifying that the DNS packet is malicious; and transmitting, by the electronic appliance, the DNS packet to an auxiliary appliance, wherein the auxiliary appliance is configured to log the DNS packet remotely from the electronic appliance and store the DNS packet locally at the auxiliary appliance.

2. The method of claim 1 comprising: discarding a second DNS packet based on the identification of the second DNS packet as not malicious.

3. The method of claim 1 comprising: assigning a weight associated with a level of risk, wherein different weights are assigned to different levels of risk.

4. The method of claim 3 wherein a higher weight is associated with a higher level of risk.

5. The method of claim 1 further comprising: capturing a second DNS packet in the communication traffic between the client device and the DNS server; determining a second value of the second DNS packet; and when the second value is below the specified threshold, identifying that the second DNS packet is not malicious.

6. The method of claim 1 further comprising: summing a weighted value for the plurality of payload fields associated with a plurality of levels of risk.

7. The method of claim 1 further comprising: normalizing the value of the DNS packet through a normalization of weights.

8. The method of claim 1 , wherein the DNS packet includes a second payload field of the plurality of payload fields, wherein the second payload field is a question field, wherein contents of the question field is included in blacklisted data, and wherein the value is increased based on the contents of the question field being included in the blacklisted data.

9. The method of claim 1 , wherein the DNS packet includes a second payload field of the plurality of payload fields, wherein the second payload field is the authority field, wherein contents of the authority field are labeled as a low level of risk, and wherein the value is decreased based on the contents of the authority field being labeled as the low level of risk.

10. The method of claim 1 , the method further comprising: determining, by the electronic appliance, an ancestor domain name of the domain name from the payload field; and adjusting the value of the DNS packet based on the ancestor domain name.

11. The method of claim 1 , the method further comprising: assigning weights to a plurality of values associated with the DNS packet, wherein the weights are determined using a machine learning model.

12. The method of claim 11 , wherein a set of features are used with the machine learning model to learn a statistical function to determine the value of the DNS packet.

13. An electronic appliance comprising a processor and memory, wherein the processor is configured to implement computer-executable instructions stored on the memory to: capture a domain name system (DNS) packet in communication traffic between a client device and a DNS server, wherein the DNS packet includes a header and a payload field of a plurality of payload fields, and wherein the plurality of payload fields correspond with at least one of a query field, a response field, an authority field, and an additional field; determine a domain name from the payload field; compare the domain name from the payload field with a list of malicious domain names and a list of benign domain names; when the domain name from the payload field is included with the list of malicious domain names and not included in the list of benign domain names, determine a value of the DNS packet; when the value exceeds a specified threshold, identify that the DNS packet is malicious; and transmit the DNS packet to an auxiliary appliance, wherein the auxiliary appliance is configured to log the DNS packet remotely from the electronic appliance and store the DNS packet locally at the auxiliary appliance.

14. The electronic appliance of claim 13 is further configured to: obtain a function, wherein the function is used to determine the value.

15. The electronic appliance of claim 13 is further configured to: identify a second DNS packet as malicious based on a determination a second value is above the specified threshold; identify the second DNS packet as benign based on a determination the value is below the specified threshold; and readjust the specified threshold based on specified packet drop rate.

16. A non-transitory machine-readable storage medium comprising instructions that when executed by a processing resource cause an electronic appliance to: capture a domain name system (DNS) packet in communication traffic between a client device and a DNS server, wherein the DNS packet includes a header and a payload field of a plurality of payload fields, and wherein the plurality of payload fields correspond with at least one of a query field, a response field, an authority field, and an additional field; determine a domain name from the payload field; compare the domain name from the payload field with a list of malicious domain names and a list of benign domain names; when the domain name from the payload field is included with the list of malicious domain names and not included in the list of benign domain names, determine a value of the DNS packet; when the value exceeds a specified threshold, identify that the DNS packet is malicious; and transmit the DNS packet to an auxiliary appliance, wherein the auxiliary appliance is configured to log the DNS packet remotely from the electronic appliance and store the DNS packet locally at the auxiliary appliance.

17. The non-transitory machine-readable storage medium of claim 16 comprising instructions that when executed by the processing resource further causes the electronic appliance to: identify a second DNS packet as malicious based on a determination a second value is above the specified threshold; and identify the second DNS packet as benign based on a determination the value is below the specified threshold.

18. The non-transitory machine-readable storage medium of claim 17 comprising instructions that when executed by the processing resource further causes the electronic appliance to: discard the second DNS packet based on the identification of the DNS packet as not malicious.

19. The non-transitory machine-readable storage medium of claim 16 comprising instructions that when executed by the processing resource cause further causes the electronic appliance to: use a set of features related to the multiple payload fields; and obtain a function based on the set of features.

20. The non-transitory machine-readable storage medium of claim 16 comprising instructions that when executed by the processing resource further causes the electronic appliance to: assign the different weights to the different levels of risk, wherein each level of risk is assigned a different weight.